We have been trying to figure out how to do this. DRY was one reason, but the more important reason was to make changes to the @Secured roles less cumbersome in production. Building a new version and redeploying the app to production is an expensive proposition at most of our customers and requires a full-blown software release process. For that reason, we externalize all but a few specific configuration properties in an external Config.groovy that can be administratively changed without an application release (we use external-config-reload).
Summary: Our customers would get a lot more value from this JIRA if the @Authorities lists could be obtained from the app config and therefore be externalize-able and (via plugin) reloadable